Wireshark-users: Re: [Wireshark-users] Why are there a lot of ARP traffic in a network?

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Fri, 24 Jul 2009 16:08:38 +1000
I think the first thing to look at is to try to see if there are particular patterns in the ARP.

Some questions to ask are :-

1. Are the ARP requests getting a response? If not, then the target of the ARPs is configured in the source machines but seems to not be reachable. This could be as simple as something like a primary DNS server having been configured but is no longer in service. Your clients will continually be trying to contact that DNS at first instance and hence need to use ARP.
2. Do you have proxy-ARP enabled on your router and do your clients have a wider network mask than the router? In this case your clients might be looking to connect to hosts beyond the router, and are receiving an ARP response for this router. This isn't used a lot today in networks but was popular in some environments. Note that this technique is similar to that used by stealthy packet sniffers like ettercap - not likely to be in your environment, but something to be aware of.


Regards, Martin

MartinVisser99@xxxxxxxxx


On Fri, Jul 24, 2009 at 9:00 AM, Ian Schorr <ian.schorr@xxxxxxxxx> wrote:


>I am looking at a 200-second trace with 10,511 packets, in this case
>there are 7,720 ARP packets (73.45%). Can I take it easy? What can I do
>to reduce those ARP packets in the network's traffic?


Is that 73% of all traffic, or 73% of broadcast/multicast traffic? 7720
ARPs in 200 seconds is less than 20kb/s, which in traffic terms seems
pretty small.


Yeah, forget about the *percentage* of traffic.  For one thing, you're talking about extremely low data rates here (whatever host(s) you're monitoring in that trace are virtually idle). 

Instead, look at how much traffic you're talking about in real terms.  7720 ARPs in 200 seconds is 38.6 frames/sec, and probably well lower than 20KByte/sec.  It seems a little high, for a 200-node network, I suppose, but nowhere close to what I'd consider a "problem" on a typical LAN.  Unless you have a really peculiar setup that'd be strangely affected by this kind of broadcast rate (some really incredibly slow hosts on the LAN that are extremely sensitive to unnecessary interrupts, or something), I'd say you can take it easy.

Why are you worried about it in the first place?  Just something you noticed when you were playing with Wireshark?
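The two pattern checks from Martin's list (requests that never get a reply, and one MAC replying for several IPs as a proxy-ARP router does), as an added example that is not part of the original thread. It assumes untagged Ethernet frames already extracted from a capture; the function names, MAC addresses and IP addresses are constructed for the illustration.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

REQUEST, REPLY = 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Constructed Ethernet+ARP frame, used only as sample input."""
    dst = b"\xff" * 6 if op == REQUEST else tha
    head = dst + sha + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return head + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42:
        return None
    etype, htype, ptype, hlen, plen, op = struct.unpack("!HHHBBH", frame[12:22])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    sender_ip, target_ip = IPv4Address(frame[28:32]), IPv4Address(frame[38:42])
    return op, frame[22:28].hex(":"), str(sender_ip), str(target_ip)

def analyze(frames):
    """Unanswered request counts per target IP, and MACs replying for >1 IP."""
    asked, answered, claims = Counter(), set(), defaultdict(set)
    for op, sha, spa, tpa in filter(None, map(parse_arp, frames)):
        if op == REQUEST and spa != tpa:      # ignore gratuitous ARP
            asked[tpa] += 1
        elif op == REPLY:
            answered.add(spa)
            claims[sha].add(spa)
    unanswered = {ip: n for ip, n in asked.items() if ip not in answered}
    multi = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return unanswered, multi

# Constructed sample capture (all addresses are made up for the example).
CLIENT, ROUTER = bytes.fromhex("020000000005"), bytes.fromhex("020000000001")
ZERO = bytes(6)
SAMPLE = (
    [build_arp(REQUEST, CLIENT, "10.0.0.5", ZERO, "10.0.0.53")] * 3  # retired DNS
    + [build_arp(REQUEST, CLIENT, "10.0.0.5", ZERO, "10.0.0.1"),
       build_arp(REPLY, ROUTER, "10.0.0.1", CLIENT, "10.0.0.5"),
       build_arp(REQUEST, CLIENT, "10.0.0.5", ZERO, "10.0.9.9"),     # off-subnet
       build_arp(REPLY, ROUTER, "10.0.9.9", CLIENT, "10.0.0.5")]     # proxy-ARP
)

if __name__ == "__main__":
    unanswered, multi = analyze(SAMPLE)
    print("unanswered targets:", unanswered)
    print("one MAC replying for several IPs:", multi)
```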
